Over 40 million websites use LetsEncrypt SSL Certs already. Undoubtedly, it has been a great relief for DevOps and site owners to have a little security for their users for free in the form of HTTPS.
Having to manually update the 3-month certificates LetsEncrypt issues you every time they expire can be boring and annoying, especially if you’re managing many domains.
I currently manage SSL for 5 domains with LetsEncrypt.
Automating the process of renewal when certificates are already generated is priceless, and so, for a second, let’s all wear the ‘Dumb’ DevOps hat, and save our souls with scripts that get the job done for us.
This article assumes these steps have been taken care of already:
- Server is Ubuntu 16.04 LTS
- Server is using Nginx
- LetsEncrypt is installed
- Certificates for the domains have already been generated with the Standalone approach, and activated accordingly and appropriately to work with Nginx.
With the above in mind, we want to have this happening:
- Run a script which will attempt to auto-renew certificates every week. I chose Sundays at 00:00 GMT.
I chose that time because it falls in a timeslot where my server generally receives the least to no traffic.
To keep running a script each week, we turn to Cron!
This Cron task would do the job:
$ sudo crontab -e
# Run renewal script weekly at 00:00 GMT on Sundays
# If something goes wrong, email me!
0 0 * * 0 /opt/renew-ssl >> /path/to/mylogs/le-renew.log && curl -sm 30 email@example.com/<cronjob-name>?c=0_0_*_*_0
The /opt/renew-ssl script will then look like this:
service nginx stop
sleep 5   # give Nginx time to finish shutting down before the client binds ports 80/443
letsencrypt renew   # the installed LetsEncrypt client's renew command (command name assumed)
service nginx start
Does it work? Yes.
Is it the most elegant? No.
Since I use the standalone approach, ports 80/443 must be free for LetsEncrypt to do its thing when renewing certificates. Thus, we stop Nginx.
We then sleep 5 seconds to give the Nginx service ample time to stop. We don’t want a situation where Nginx hasn’t finished shutting down when LetsEncrypt kicks in and tries to bind the ports.
Sleeping 5 seconds is like 450 years in a computer’s view of time, which is more than enough to ensure Nginx is fully stopped.
After the 5 seconds, we issue the obvious command: the renewal.
Nginx is then started again.
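The same stop / wait / renew / start sequence, as an added example rather than the post’s own script: it starts Nginx again even when the renewal fails (the plain script leaves the site down in that case), logs every step with a UTC timestamp, and returns the renewal’s exit status so the "&& curl ..." ping in the crontab only fires when renewal actually succeeded. The command names and the `run` argument are assumptions; adjust them to your server.

```shell
#!/bin/sh
# Added example, not the post's /opt/renew-ssl. Commands are assumptions:
# override them with environment variables if your server differs.
STOP_NGINX="${STOP_NGINX:-service nginx stop}"
START_NGINX="${START_NGINX:-service nginx start}"
RENEW="${RENEW:-letsencrypt renew}"      # assumed name of the client's renew command
GRACE_SECONDS="${GRACE_SECONDS:-5}"      # time for Nginx to release ports 80/443

# One timestamped log line per step, so le-renew.log shows when and what ran.
log() { printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*"; }

# Stops Nginx, runs the renewal, and always starts Nginx again afterwards.
# Returns 2 if Nginx could not be stopped, otherwise the renewal's exit status.
renew_certs() {
    log "stopping nginx"
    $STOP_NGINX || { log "ERROR: nginx did not stop, aborting renewal"; return 2; }
    sleep "$GRACE_SECONDS"
    log "running: $RENEW"
    rc=0
    $RENEW || rc=$?
    log "starting nginx"
    $START_NGINX || log "ERROR: nginx failed to start, check the site now"
    if [ "$rc" -eq 0 ]; then log "renewal OK"; else log "renewal FAILED (exit $rc)"; fi
    return "$rc"
}

# Only act when invoked as "/opt/renew-ssl run", so the crontab line becomes:
# 0 0 * * 0 /opt/renew-ssl run >> /path/to/mylogs/le-renew.log && curl ...
if [ "${1:-}" = "run" ]; then
    renew_certs
fi
```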
Does it run?
To check whether the script ran, after 00:00 on Sunday look at the /path/to/mylogs/le-renew.log file and check the timestamp of when it was last modified. If it matches 00:00 GMT, then be happy.
Duh! You could also simply open the le-renew.log file and inspect the contents of the logs.
Before LetsEncrypt arrived, getting SSL certs for websites was never this easy.
Big thanks to LetsEncrypt for making the web a little safer to browse. Now you can browse your HTTPS-enabled websites, such as Khophi.co and all our client and personal projects, knowing your communication is, to a great extent, secured and safe!